Stop users from adding or changing rights on shared or home folders

We have a Windows Server 2003 two-node cluster that we're using for home folders and regular shared folders for our users.  I come from a Novell background, so, am used to stopping users from being able to change rights to their home or shared folders, yet still do anything they want IN their folders, and, I need to be able to do the same using NTFS permissions.

I also need to run Disk Quotas, to limit each user to a certain amount of file storage.  These two wants seem mutually exclusive.

I understand to stop users from changing file permissions, I just need to remove the Atomic Right Change Permissions, but, I also understand that if a user Owns a file or folder, then they can do anything they want to the permissions of that file or folder, and, unless they own their files, Disk Quotas has nothing to count.

What's the answer?

Who is Participating?
Why do you want to prevent the users from changing NTFS permissions?  If the purpose is to prevent them from leaving their home directories open to others, why not just restrict the share permissions and leave them with full control of the files and folders?  

You should be able to take away ownership or full control of the *share* from the users without affecting their control or ownership over the folders.   Even if other users have permissions on the folders, they won't be able to get to them if they have no permissions on the share.
Rich RumbleSecurity SamuraiCommented:
You can do this easily. Calcs or XCalcs can do these in a script;EN-US;825751
Deny then "C" and "D" and they cannot change or take ownership;en-us;320046
With any program or technique your not very fimilar with, take caution and TEST TEST TEST before making this a live change or rolling this out. Be sure to back up all data before hand as a precaution.
Here is a good summary also to help you

Another good utility is: setacl
wbradleyAuthor Commented:
Carlo, our Home Folders and Shared Folders are setup so that each are accessible via a single share (two different shares for each type of folder) above the level of the actual folder itself, with Everyone getting Full Rights, and only the user or group having rights on the folder itself, so, if they have ownership, they can allow anyone to get in, or worse, remove critical groups like System or Administrators.  Since these folders are all on a cluster, I didn't want to use individual shares for EACH folder.  Thanks.

Rich, I CAN change rights on the folders any way I want, but, if I want to use Disk Quotas, the user has to have ownership, and, once they have ownership, then, no matter what restrictions they had, they can now do anything that they want.  Thanks.
wbradley, carlos is correct (if I understand him correctly).  The home share should be set to modify.  If you set it to full control, then the owner of a file or folder can change permissions irregarless of how you set ntfs permissions.  By setting the share to modify, you can configure the ntfs permissions the way you want, and they wont be able to change it (I'd recommend not giving them full control, just modify (ntfs).  This doesn't break disk quotas unless they've taken away admin rights and you must sieze ownership to fix the ntfs settings.  And it allows the users to do everything else they need to do.

Now if you want to force the top level user directory permissions to be immutable (\\server\home\username), but let them change the lower level permissions (\\server\home\username\wildwest), I have no idea if that is possible.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.